CVE-2025-64702

EUVD-2025-202714
quic-go is an implementation of the QUIC protocol in Go. Versions 0.56.0 and below are vulnerable to excessive memory allocation through quic-go's HTTP/3 client and server implementations by sending a QPACK-encoded HEADERS frame that decodes into a large header field section (many unique header names and/or large values). The implementation builds an http.Header (used on the http.Request and http.Response, respectively), while only enforcing limits on the size of the (QPACK-compressed) HEADERS frame, but not on the decoded header, leading to memory exhaustion. This issue is fixed in version 0.57.0.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
5.3 MEDIUM
NETWORK
LOW
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
GitHub_MCNA
5.3 MEDIUM
NETWORK
LOW
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
Base Score
CVSS 3.x
EPSS Score
Percentile: 19%
Affected Products (NVD)
VendorProductVersion
quic-go_projectquic-go
𝑥
< 0.57.0
𝑥
= Vulnerable software versions
Debian logo
Debian Releases
Debian Product
Codename
golang-github-lucas-clemente-quic-go
bookworm
no-dsa
bullseye
no-dsa
forky
vulnerable
sid
vulnerable
trixie
no-dsa
Ubuntu logo
Ubuntu Releases
Ubuntu Product
Codename
golang-github-lucas-clemente-quic-go
jammy
needs-triage
noble
needs-triage
plucky
ignored
questing
needs-triage
Common Weakness Enumeration
References
https://github.com/quic-go/quic-go/commit/5b2d2129f8315da41e01eff0a847ab38a34e83a8
https://github.com/quic-go/quic-go/security/advisories/GHSA-g754-hx8w-x2g6